DevSecOps, the extension of DevOps with security training and tools, has become a popular way of developing modern software, especially in the Internet of Things arena, due to its focus on rapid development with short release cycles and very close involvement of the user/client. Security classification methods, on the other hand, are heavy and slow processes that require high expertise in security, as do other similar areas such as risk analysis or certification. As such, security classification methods are hardly compatible with the DevSecOps culture, which, on the contrary, has moved away from the traditional style of penetration testing done only when the software product is in the final stages or already deployed. In this work, we first propose five principles for a security classification to be \emph{DevOps-ready}, two of which are the focus of the rest of the paper, namely being tool-based and being easy to use for non-security experts, such as ordinary developers or system architects. We then exemplify how one can make a security classification methodology DevOps-ready. We do this through an interaction design process, in which we create and evaluate the usability of a tool implementing the chosen methodology. Since such work seems to be new within the usable security community, and even more so in the software development (DevOps) community, we extract from our process a general, three-step `recipe' that others can follow when making their own security methodologies DevOps-ready. The tool that we build is in itself a contribution of this process, as it can be independently used, extended, and/or integrated by developer teams into their DevSecOps tool-chains. Our tool is perceived (by the test subjects) as most useful in the design phase, but also during the testing phase, where the security class would be one of the metrics used to evaluate the quality of their software.